Chris Nackers Blog

ConfigMgr and MDT Deployment Solutions

Configuring Shared Folder Permissions

I was helping someone configure some shares the other day for Migdata and Logs. I dug this up from the old BDD 2.5 documentation; it’s a good reference point for creating access to shares in order for computers to put files there.

After you have configured the SMS client access accounts, you need to configure the appropriate shared folder permissions. Ensure that unauthorized users are unable to access user state migration information and the deployment logs. Only the workstation creating the user state migration information and the deployment logs should have access to these folders.

To configure the shared folder permissions for each folder listed in Table 24, perform the following steps for each folder:

1. Start Windows Explorer and navigate to SharedFolder (where SharedFolder is one of the shared folders listed in Table 24).

2. Right-click SharedFolder (where SharedFolder is one of the shared folders listed in Table 24), and then click Properties.

3. On the Security tab, click Advanced.

4. On the Permissions tab, clear the Allow inheritable permissions from the parent to propagate to this object and all child objects check box.

5. When prompted to either Copy or Remove the permission entries that were previously applied from the parent, click Remove.

6. On the Permissions tab, click Add.

7. In the Enter the object name to select text box, type Domain Computers, and then click OK.

This action allows domain computers to create subfolders.

8. On the Permission Entry for Text dialog box, in the Apply onto list, select This folder only.

9. On the Permission Entry for Text dialog box, in the Permissions list, select Allow for the Create Folders/Append Data permission, and then click OK.

10. Repeat steps 6–9 substituting Domain Users for Domain Computers.

11. On the Permissions tab, click Add.

12. In the Enter the object name to select text box, type CREATOR OWNER, and then click OK.

This action allows domain computers and domain users to access the subfolders they create.

13. On the Permission Entry for Text dialog box, in the Apply onto list, select Subfolders and files only.

14. On the Permission Entry for Text dialog box, in the Permissions list, select Allow for the Full Control permission, and then click OK.

15. Repeat steps 11–13 for each group that you want to grant administrative privileges.

The permissions you set in these steps allow a workstation to connect to the appropriate share and create a new folder in which to store user state information or logs, respectively. The folder permissions prevent other users or computers from accessing the data stored in the folder.
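The same permission set can be scripted instead of clicked through. The PowerShell below is an added example, not part of the BDD documentation; the folder path, the domain taken from `$env:USERDOMAIN`, and the `Deployment Admins` group name are placeholders to replace with your own values.

```powershell
# Added example: applies steps 1-15 to one folder and prints the result for review.
param(
    [string]$Path = 'D:\MigData',                                    # placeholder folder
    [string]$Domain = $env:USERDOMAIN,                               # assumed domain name
    [string[]]$AdminGroups = @("$env:USERDOMAIN\Deployment Admins")  # hypothetical group
)
$ErrorActionPreference = 'Stop'

function New-AllowRule {
    param(
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit,
        [System.Security.AccessControl.PropagationFlags]$Propagate
    )
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $Inherit, $Propagate, $allow
}

$acl = Get-Acl -Path $Path

# Steps 4-5: stop inheriting from the parent and remove the inherited entries.
$acl.SetAccessRuleProtection($true, $false)

# Steps 6-10: Create Folders/Append Data, applied to "This folder only".
foreach ($group in 'Domain Computers', 'Domain Users') {
    $acl.AddAccessRule((New-AllowRule "$Domain\$group" 'CreateDirectories' 'None' 'None'))
}

# Steps 11-14: CREATOR OWNER gets Full Control on "Subfolders and files only".
$acl.AddAccessRule((New-AllowRule 'CREATOR OWNER' 'FullControl' 'ContainerInherit,ObjectInherit' 'InheritOnly'))

# Step 15: the same entry for each administrative group.
foreach ($group in $AdminGroups) {
    $acl.AddAccessRule((New-AllowRule $group 'FullControl' 'ContainerInherit,ObjectInherit' 'InheritOnly'))
}

Set-Acl -Path $Path -AclObject $acl

# Check: nothing should still be inherited, and only the entries above
# (plus any explicit entries that already existed) should be listed.
$result = (Get-Acl -Path $Path).Access
if ($result | Where-Object { $_.IsInherited }) {
    Write-Warning "Inherited entries are still present on $Path"
}
$result | Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```

Run it from an elevated session as the owner of the folder, since the inherited entries that normally give administrators access are removed. Explicit entries that were already on the folder are left in place, just as in the manual procedure, so review the printed table for anything unexpected.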

Note: The default permissions on the SMS distribution point shares should provide the appropriate resource access by default.
